SushiSwap dev disagrees with hacker’s ‘billion dollar’ bug finding

The hacker and his alleged vulnerabilities within SushiSwap’s network first came to light through media reports. In the same, the hacker claimed users could endure losses of funds worth over $1 billion due to these threats.

The hacker also conceded to going public with the information only after attempts to bring this to the attention of SushiSwap’s developers confidentially did not result in any action.

In the report, the hacker claimed to have found a “vulnerability within the emergencyWithdraw function in two of SushiSwap’s contracts, MasterChefV2 and MiniChefV2.” These contracts govern the exchange’s 2x reward farms and pools on non-Ethereum sidechains such as Binance Smart Chain, Polygon, Fantom, Avalanche, among others.

The emergencyWithdraw function provides a safety net to users using DeFi services, essentially allowing them to immediately withdraw their Liquidity Provider (LP) tokens in the event of an emergency while forfeiting any rewards earned until that point.

According to the hacker, this feature is misleading as it would not work as intended if no rewards are held within the SushiSwap pool.

If the rewards in the pool dry up, they have to be filled manually by the project’s team by using a multi-signature account while often operating from vastly different time zones. The hacker believes this could lead to waiting times of over 10 hours long, before tokens can be withdrawn. The report further elaborated,

Source : ambcrypto.com